In-Network Defense Against Distributed Denial-of-Service on the Internet
Mingwei Zhang
Committee: Jun Li (chair), Reza Rejaie, Hank Childs, Jiabin Wu
Dissertation Defense (May 2024)

Distributed denial-of-service (DDoS) attacks continue to threaten the availability and integrity of critical Internet infrastructure, upon which society relies more heavily than ever before. The extremely high volume and distributed nature of modern DDoS attacks render traditional “edge-defense” solutions (either victim-side or attack-source-side) less effective. This thesis studies in-network DDoS filtering, i.e., filtering traffic inside the Internet, which aims to address these problems by distributing the workload of filtering DDoS traffic across strategically chosen locations inside the Internet. This dissertation conducts a systematic study of three aspects of an effective and deployable in-network DDoS defense: 1) in-network defense incentives, 2) in-network defense filter placement strategies, and 3) in-network defense filter placement algorithm design and evaluation. It not only shows that the majority of Internet Service Providers (ISPs) have an incentive to participate in in-network DDoS defense, but also examines in-network defense strategies, including proposing a new one, and describes the design and evaluation of an effective in-network filter placement algorithm.

This dissertation includes previously published co-authored materials.